I recently responded to a couple of comments on one of my articles for WeLiveSecurity, ‘Support desk scams: CLSID not unique’, on the CLSID ploy used by tech support scammers in the hope of persuading victims that the scammer really has some insight into the condition of the victim’s PC. This works (sometimes) because the scammer uses the ASSOC command to display the following identifier, which is stored in the Windows Registry under HKEY_CLASSES_ROOT\CLSID:
By claiming that the following entry in the Registry is different on every machine, the scammer ‘proves’ that he has information on the victim’s PC (sometimes he may claim that it represents a Computer Licence ID). But it proves nothing of the sort. To quote that blog:
That’s the CLSID on both the PCs open on my desk at the moment … And I bet that if you have a recent version of Windows and go through the same steps you’ll find that you have it too. In other words, the scammer can’t see your CLSID or anything else on your PC … Unless, of course, you fall for the scam and give him remote access with AMMYY or LetMeIn.
And it’s also the number used by the scammer quoted in the comment, who claimed:
…that my computer’s registration number was individual and he would recite it for me to prove he is legitimate.
[In fact, the .zfsendtotarget entry is associated with the compressed (zipped) folder in Microsoft Windows: it tells the system what to do with that option on the Windows Explorer right-click context menu.]
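The point that this identifier names a class, not a computer, can be checked on any Windows machine. The PowerShell below is an added example, not code from the original article; it assumes a standard Windows installation where the .zfsendtotarget association and its CLSID entries are present, and the function name is my own.

```powershell
# Added example: resolve the identifier that the ASSOC ploy shows to what it
# actually is, a registered COM class. Assumes a standard Windows install.
function Resolve-ExtensionClsid {
    param(
        # Extension the scammer points at; .zfsendtotarget is the one in the article
        [string]$Extension = '.zfsendtotarget'
    )
    # HKCR is not a PSDrive by default; map it for this session
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    # Step 1: the extension key's default value is exactly what ASSOC prints,
    # e.g. ".zfsendtotarget=CLSID\{...}"
    $progId = (Get-ItemProperty -LiteralPath "HKCR:\$Extension" -ErrorAction Stop).'(default)'
    if ($progId -notmatch '\{[0-9A-Fa-f-]{36}\}') {
        throw "$Extension is not associated with a CLSID (value: '$progId')"
    }
    $clsid = $Matches[0]
    # Step 2: the CLSID is a key under HKCR\CLSID whose default value is the
    # human-readable class name (the same on every install that ships the class)
    $classKey  = "HKCR:\CLSID\$clsid"
    $className = (Get-ItemProperty -LiteralPath $classKey -ErrorAction Stop).'(default)'
    # Step 3: InprocServer32 names the DLL that implements the class, which for a
    # built-in shell extension is a file shipped with Windows itself
    $server = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Extension   = $Extension
        AssocOutput = "$Extension=$progId"   # what the scammer reads out
        Clsid       = $clsid
        ClassName   = $className             # a class name, not a licence or machine ID
        Server      = $server                # the implementing DLL
    }
}

Resolve-ExtensionClsid | Format-List
```

Running this on two unrelated machines with the same Windows version yields the same Clsid, ClassName and Server, which is the whole point: nothing in that identifier is specific to the PC.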
There’s nothing particularly novel about all this: after all, I originally wrote that article about the CLSID ploy, which was then new to me, back in 2011. I don’t know how many people have read it, but apparently at the time of writing 2.6 thousand people have Liked it on Facebook, and it’s attracted 571 comments. So I was slightly surprised to be asked whether the article was part of the scam. :) If it was, you’d think someone would have noticed by now. Still, I’m not one to discourage scepticism: not everyone in the security industry is scrupulously honest. (Oddly enough, we were contacted the same day by someone offering to sell us a domain name that closely resembled the sort of name favoured by tech support scammers. I suppose to be suspected of running fake support scams makes a change from being accused of being responsible for creating malware.)
Back in the real world, however, there were a couple of things I found quite interesting about this story, demonstrating that even an old scam can produce an interesting variation from time to time.
Thinking about it, perhaps that overabundance of Harley articles explains why the commenter was worried that ESET might be involved with the scam: certainly when I search for information on a product and find page after page of links telling me how great it is, I tend to assume the sort of ‘fake reviews and dodgy search engine manipulation’ described here by Brian Krebs, and by Sophos here. (In fact, Virus Bulletin’s Martijn Grooten and I first looked at web site and social media manipulation in the context of support scamming back in 2011.) But since that sort of manipulation isn’t what I saw on that search page, I have to wonder what the scammer thought would turn up that would ‘prove his integrity’. I can only see two likely possibilities.
One explanation might be that he hoped that she would find some technical articles on .COM and CLSID which she wouldn’t understand, or not understand well enough to realize that the CLSID is unique to a class of software object, not the computer on which it happens to be registered. After all, my own experience of support scammers suggests to me that they fall into two main groups:
On the other hand, it occurs to me to wonder whether the scammer in this instance was influenced by a more localized search engine that may be more vulnerable to manipulation. But I really don’t know how likely that is.
Or there may be another scenario that hasn’t occurred to me. What do you think?
Author David Harley, ESET